Could this standard help you meet your legal obligations? Is it overkill for your size of organisation? If you wanted to achieve certification, how would you do it?